What are the least privileges required for a user to perform creates, deletes, modifications, backup, and recovery for an Amazon RDS DB instance?
I want to grant my AWS Identity and Access Management (IAM) users the minimum permissions needed to manage Amazon Relational Database Service (Amazon RDS) DB instances.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
To configure IAM user access to your RDS DB instance, complete the following steps:
- Open the IAM console.
- In the navigation pane, choose Users.
- Choose Add user, and then enter a User name.
- For Access type, choose AWS Management Console access, and then create a password that the user will use to sign in to the Amazon RDS console. To provide access to the AWS CLI, choose Programmatic access.
Important: For Programmatic access, choose Download .csv to download the access key ID and the secret access key. You need these keys to configure AWS CLI credentials for the user later. Access keys are long-lived credentials: store them securely, rotate them, and prefer temporary credentials (for example, an IAM role or IAM Identity Center) where your workflow allows it.
- Review the permissions and tags, and then choose Create user.
Note: This creates an IAM user that has the IAMUserChangePassword policy attached.
- Create IAM policies for the actions that the user needs to perform in Amazon RDS (see the examples in the next section).
- Attach your IAM policies to the user.
Example IAM policies
The following example policies grant the least privileges required to perform the specified actions through the API. The Amazon RDS console calls additional Describe APIs to render its pages, so with these policies you might see errors in the console such as "IAMUser is not authorized to perform: rds:Action" for a Describe action. Those errors don't prevent the action itself from completing. To avoid them, add the missing Describe permissions to the policy, or use the AWS CLI to perform the actions.
All of the examples use "Resource": "*", so each allowed action applies to every matching resource in the account. Most rds: actions support resource-level permissions; where the task allows it, narrow Resource to the ARNs of the DB instances that the user is responsible for.
Create and delete RDS DB instances
To allow users to create RDS DB instances without encryption activated, use the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeVpcs",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeSubnets",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "rds:CreateDBInstance",
        "rds:CreateDBSubnetGroup"
      ],
      "Resource": "*"
    }
  ]
}
To allow users to create RDS DB instances that have encryption activated, use the following policy. It differs from the previous one only by kms:ListAliases, which the console needs to list the keys that the user can choose from:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeVpcs",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeSubnets",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "rds:CreateDBInstance",
        "rds:CreateDBSubnetGroup",
        "kms:ListAliases"
      ],
      "Resource": "*"
    }
  ]
}
Note: kms:ListAliases only lets the user see the keys. To encrypt with a customer managed key, the user must also be authorized to use that key: the key policy (or an IAM policy, if the key policy delegates to IAM) must grant the KMS permissions that Amazon RDS needs on the key, such as kms:DescribeKey and kms:CreateGrant. The AWS managed key (aws/rds) requires no additional KMS permissions.
To allow users to delete RDS DB instances, use the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:DeleteDBInstance",
        "rds:DescribeDBInstances"
      ],
      "Resource": "*"
    }
  ]
}
To allow users to create and delete RDS DB instances, use the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeVpcs",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeSubnets",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "rds:CreateDBInstance",
        "rds:CreateDBSubnetGroup",
        "rds:DeleteDBInstance"
      ],
      "Resource": "*"
    }
  ]
}
Stop and start RDS DB instances
To allow users to start and stop RDS DB instances, use the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:StopDBInstance",
        "rds:StartDBInstance",
        "rds:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
Perform backup and recovery
To allow users to create DB snapshots, use the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:Describe*",
        "rds:CreateDBSnapshot"
      ],
      "Resource": "*"
    }
  ]
}
To allow users to restore a DB instance from a DB snapshot, use the following policy. A restore creates a new DB instance, which is why the ec2:Describe* permissions for VPC, subnet, and security group lookups are needed:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "rds:Describe*",
        "rds:RestoreDBInstanceFromDBSnapshot"
      ],
      "Resource": "*"
    }
  ]
}
To allow users to perform point-in-time recovery, use the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "rds:Describe*",
        "rds:RestoreDBInstanceToPointInTime"
      ],
      "Resource": "*"
    }
  ]
}
Modify RDS DB instances
To allow users to change the DB instance class, allocated storage, storage type, and engine version, use the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "rds:Describe*",
        "rds:ModifyDBInstance"
      ],
      "Resource": "*"
    }
  ]
}
Note: rds:ModifyDBInstance is a single action that covers every modifiable attribute of an instance, including the master user password, the VPC security groups, public accessibility, and deletion protection. IAM can't restrict it to individual attributes, so treat any policy that grants it as granting full control over the instances in its Resource scope.
Activate Enhanced Monitoring and Performance Insights
A wildcard (*) resource on iam:PassRole is overly permissive: because the same user is allowed rds:ModifyDBInstance, it lets the user pass any role in the account to Amazon RDS, including roles with far more permissions than the monitoring role. It's a best practice to specify the ARN of the role that the user is allowed to pass.
To allow users to activate Enhanced Monitoring, use the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:ListRoles",
        "rds:ModifyDBInstance",
        "rds:Describe*",
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::AccountID:role/rds-monitoring-role"
    }
  ]
}
Note: Replace AccountID with the 12-digit ID of the AWS account that owns the rds-monitoring-role role. If the placeholder is left in place, the ARN matches nothing and the PassRole call fails.
To allow users to activate Performance Insights, use the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:ModifyDBInstance",
        "ec2:Describe*",
        "rds:Describe*",
        "pi:*"
      ],
      "Resource": "*"
    }
  ]
}
Note: pi:* grants every Performance Insights API action. If your users only need to turn the feature on, or only need to read its dashboards, list the specific pi: actions instead.
Create, modify, and delete DB parameter groups and DB option groups
To allow users to create, modify, or delete DB parameter groups and option groups, use the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "rds:Describe*",
        "rds:CreateDBParameterGroup",
        "rds:ModifyDBParameterGroup",
        "rds:DeleteDBParameterGroup",
        "rds:CreateOptionGroup",
        "rds:ModifyOptionGroup",
        "rds:DeleteOptionGroup"
      ],
      "Resource": "*"
    }
  ]
}
View Amazon CloudWatch metrics from the Amazon RDS console
To allow users to view CloudWatch metrics from the Amazon RDS console, use the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:Describe*",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics"
      ],
      "Resource": "*"
    }
  ]
}
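Before attaching any of the policies above, a reviewer would run a few mechanical checks on them: the iam:PassRole wildcard concern raised under Enhanced Monitoring, the AccountID placeholder that must be replaced in the role ARN, service-wide wildcards such as pi:*, and the fact that every example grants mutating actions on "Resource": "*". The following Python script is an added example written for this page, not code from AWS or from the original article. The Enhanced Monitoring and Performance Insights policy documents embedded in it are copied from this page (whitespace compressed); the wildcard-PassRole variant, the finding codes, and the read-only prefix heuristic are constructed for the example.

```python
"""Static least-privilege checks for RDS IAM policies (added example)."""
import json
import re

# Copied from this page. The AccountID placeholder is left in place on
# purpose, as it would be after a careless copy-paste.
ENHANCED_MONITORING_POLICY = """
{ "Version": "2012-10-17", "Statement": [
  { "Effect": "Allow",
    "Action": [ "iam:GetRole", "iam:ListRoles", "rds:ModifyDBInstance",
                "rds:Describe*", "ec2:Describe*" ],
    "Resource": "*" },
  { "Effect": "Allow", "Action": [ "iam:PassRole" ],
    "Resource": "arn:aws:iam::AccountID:role/rds-monitoring-role" } ] }
"""

# Copied from this page.
PERFORMANCE_INSIGHTS_POLICY = """
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
  "Action": [ "rds:ModifyDBInstance", "ec2:Describe*", "rds:Describe*", "pi:*" ],
  "Resource": "*" } ] }
"""

# Constructed for this example: the mistake the page warns against,
# iam:PassRole granted on every role in the account.
WILDCARD_PASSROLE_POLICY = """
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
  "Action": [ "iam:PassRole", "rds:ModifyDBInstance" ], "Resource": "*" } ] }
"""

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Heuristic (assumption of this example): actions with these name prefixes
# only read state, so granting them on Resource "*" is not reported.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _as_list(value):
    """IAM accepts a single string wherever a list is allowed; normalize."""
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    name = action.split(":", 1)[-1]          # strip the "service:" prefix
    return name.startswith(READ_ONLY_PREFIXES)


def check_policy(document):
    """Return a list of (statement_index, code, detail) findings."""
    policy = json.loads(document) if isinstance(document, str) else document
    findings = []
    for index, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))

        # 1. "*" or "service:*" grants every action of that service.
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((index, "SERVICE_WILDCARD", action))

        # 2. iam:PassRole on "*" lets the user hand any role to RDS.
        if "iam:PassRole" in actions and "*" in resources:
            findings.append((index, "PASSROLE_WILDCARD_RESOURCE", "*"))

        # 3. An ARN must carry a real 12-digit account ID, not a placeholder.
        #    ARN layout: arn:partition:service:region:account-id:resource
        for res in resources:
            parts = res.split(":")
            if res.startswith("arn:") and len(parts) >= 6:
                account = parts[4]
                if account and not ACCOUNT_ID_RE.match(account):
                    findings.append((index, "BAD_ACCOUNT_ID", account))

        # 4. Mutating actions on every resource: the action list is minimal,
        #    but the scope is the whole account. Consider instance ARNs.
        if "*" in resources:
            mutating = sorted(a for a in actions if not _is_read_only(a))
            if mutating:
                findings.append((index, "MUTATING_ON_ALL_RESOURCES",
                                 ",".join(mutating)))
    return findings


def codes(document):
    """Sorted, de-duplicated finding codes for a quick comparison."""
    return sorted({code for _, code, _ in check_policy(document)})


if __name__ == "__main__":
    samples = [("enhanced-monitoring", ENHANCED_MONITORING_POLICY),
               ("performance-insights", PERFORMANCE_INSIGHTS_POLICY),
               ("wildcard-passrole", WILDCARD_PASSROLE_POLICY)]
    for name, doc in samples:
        print(name)
        for index, code, detail in check_policy(doc):
            print(f"  statement {index}: {code} ({detail})")
```

Run it as-is to see the findings for the three embedded documents, or pass any policy JSON string to check_policy. The MUTATING_ON_ALL_RESOURCES finding fires for every policy on this page by design: it is the reminder that "least privilege" here refers to the action list, and that the resource scope is the next thing to tighten.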